MSAL PublicClientApplicationBuilder with AzureAD external user cannot access SharePoint
We have a Windows Application using MSAL with PublicClientApplicationBuilder to access SharePoint with the delegated permissions of the logged on user.
When our code is used with the login of a user who was invited as an external user in another AzureAD and whose user is added to the members of a SharePoint site collection, we get an access token which results in HTTP 401. Using a user from the other AzureAD directly to log in does work. It is just with the external user that we fail to get access.
When the user logs into SharePoint in the browser, using his external user login, he can access the other tenant's SharePoint. So his external user account has permissions on that site collection, but it works only in the browser, not from our MSAL client.
Some details:
We created the app registration as a multi-tenant app in our AzureAD with the needed read and write permissions from the SharePoint delegated permission list.
An admin of the other AzureAD consented to the delegated permissions for all users, and we did the same in our AzureAD. So no matter which user tries to log in and use the app, they will find consented permissions.
We use this code to get a public client app:
using Microsoft.Identity.Client;

// Log is a method with the MSAL LogCallback signature: void Log(LogLevel level, string message, bool containsPii)
IPublicClientApplication _clientApp;
var clientAppId = "our-app-clientID";
var redirectUri = "https://login.microsoftonline.com/common/oauth2/nativeclient";
_clientApp = PublicClientApplicationBuilder.Create(clientAppId)
    .WithRedirectUri(redirectUri)
    .WithLogging(Log, LogLevel.Verbose, false)   // verbose MSAL logging, PII logging off
    // .WithTenantId("we tried our and the other tenants ID")   // without it the authority defaults to /common
    .Build();
The commented line .WithTenantId was just added while we tried to find a solution.
We can see that it makes a difference for the token content. Without that line, or with our tenantId, we see that the user's "oid" is the objectId of the user in our AzureAD.
When we use the tenantId of the other AzureAD, we get the oid of the external user object in that other AzureAD.
So we had hopes that the latter call would succeed, but it fails as well, this time with HTTP 403. So the user token seems to get a bit further, but still not to the SharePoint site collection.
Any idea if this scenario is possible?
It would be nice if this is possible, and best if we did not have to call WithTenantId, because otherwise we would somehow need to look up the correct tenantId on the client machine; not sure where to get it from, except asking an admin from the other tenant and putting the value in some app config file or the Windows registry.
Solution 1:[1]
• The issue, according to your description, most probably suggests that the scopes might not be added correctly to the ‘Sharepoint API’: since you are accessing the SharePoint site from a public client using MSAL authentication, the scopes/permissions to access the SharePoint site from a public client in Azure AD need to be added and extended to service the requests from external user accounts also.
• To do so, you need to add scopes/permissions to the Sharepoint API through the Azure portal, as when you are calling SharePoint APIs outside of the Microsoft Graph, you call ‘/_api/web/lists’ and it will retrieve all the lists. Thus, if your public client app performs this action using the Microsoft Graph API permissions, you will get an access denied error message, as you are encountering with the HTTP 403 error.
• Thus, in your case, to access the SharePoint sites, you will need to add the scopes ‘AllSites.Read’ and ‘Sites.ReadWrite.All’ to the Sharepoint API for your public client app, as the scope ‘Sites.Read’ in the Microsoft Graph API isn’t enough for it. Also, ensure that you add the ‘https://<domain>.sharepoint.com/AllSites.Write’ and ‘https://<yoursite>.sharepoint.com/Sites.ReadWrite.All’ scopes to the Sharepoint API for that public client app as well.
• To access the Sharepoint API through a public client, you use AAD auth, for which Microsoft recommends using a certificate rather than a secret. For more information regarding this, kindly use the below documentation link: -
• Also, ensure that ‘https://microsoft.sharepoint-df.com/Sites.Search.All’ and ‘https://yourtenant.sharepoint.com/Sites.Search.All’ are also added as scope in your application as Sharepoint online site might reject the token because of invalid audience.
For more information regarding the scope modification, kindly refer the below link for more details: -
https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/400
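An added example, not code from the question or from the answer, showing in MSAL.NET what the answer is describing: the scopes are requested against the SharePoint resource (host-prefixed AllSites.Read / AllSites.Write, the names the answer lists) rather than against Microsoft Graph, the token's aud, tid and oid claims are inspected before it is used, and then the same /_api/web/lists call the answer refers to is made. The host contoso.sharepoint.com, the site path /sites/Engineering, and the optional tenant ID passed as a command-line argument (the question's WithTenantId experiment, moved onto the request builder) are assumptions for the example. It does not by itself make an external (guest) user's token acceptable; it only makes the audience and tenant of the token visible so that a 401 caused by a Graph audience can be told apart from a 403 caused by site permissions.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example (not from the question or the answer). Assumed values are marked.
class SharePointTokenDemo
{
    const string ClientId = "our-app-clientID";                                         // placeholder from the question
    const string RedirectUri = "https://login.microsoftonline.com/common/oauth2/nativeclient";
    const string SharePointHost = "https://contoso.sharepoint.com";                     // assumed tenant host
    const string SitePath = "/sites/Engineering";                                       // assumed site collection

    // Scopes requested against the SharePoint resource, so the token's "aud" is the SharePoint
    // host. A Graph scope such as Sites.Read.All would yield a Graph audience that /_api rejects.
    static readonly string[] SharePointScopes =
    {
        SharePointHost + "/AllSites.Read",
        SharePointHost + "/AllSites.Write",
    };

    // MSAL LogCallback signature: (LogLevel level, string message, bool containsPii)
    static void Log(LogLevel level, string message, bool containsPii)
        => Console.WriteLine($"[{level}] {message}");

    static async Task Main(string[] args)
    {
        // Optional first argument: the ID of the tenant that owns the site collection.
        // Omitted, the authority stays at /common and the home tenant answers the request.
        string tenantId = args.Length > 0 ? args[0] : null;

        IPublicClientApplication app = PublicClientApplicationBuilder.Create(ClientId)
            .WithRedirectUri(RedirectUri)
            .WithLogging(Log, LogLevel.Warning, false)
            .Build();

        var request = app.AcquireTokenInteractive(SharePointScopes);
        if (tenantId != null)
            request = request.WithTenantId(tenantId);   // pin the request to the other tenant

        AuthenticationResult result = await request.ExecuteAsync();

        // Inspect the token before using it. "aud" must equal SharePointHost and "tid" must be the
        // tenant that owns the site; "oid" differs per tenant for a guest, as the question observed.
        JsonElement claims = DecodePayload(result.AccessToken);
        Console.WriteLine($"aud={Claim(claims, "aud")} tid={Claim(claims, "tid")} oid={Claim(claims, "oid")}");

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        http.DefaultRequestHeaders.Accept.Add(MediaTypeWithQualityHeaderValue.Parse("application/json;odata=verbose"));

        // The SharePoint REST call from the answer, run against the site collection.
        HttpResponseMessage response = await http.GetAsync($"{SharePointHost}{SitePath}/_api/web/lists");
        Console.WriteLine($"HTTP {(int)response.StatusCode} {response.ReasonPhrase}");
        string body = await response.Content.ReadAsStringAsync();
        Console.WriteLine(body.Substring(0, Math.Min(body.Length, 300)));
    }

    static string Claim(JsonElement claims, string name)
        => claims.TryGetProperty(name, out JsonElement v) ? v.ToString() : "(absent)";

    // Decodes the JWT payload segment for local inspection only; the signature is not verified
    // here because SharePoint validates the token server side. Base64url needs padding restored.
    static JsonElement DecodePayload(string jwt)
    {
        string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        byte[] bytes = Convert.FromBase64String(payload);
        using JsonDocument doc = JsonDocument.Parse(Encoding.UTF8.GetString(bytes));
        return doc.RootElement.Clone();
    }
}
```

Run it once without an argument and once with the other tenant's ID and compare the printed aud/tid/oid against the HTTP status: an aud of https://graph.microsoft.com or 00000003-0000-0000-c000-000000000000 with a 401 is the wrong-audience case, while a SharePoint aud with a 403 means the token was accepted and the remaining problem is the user's permission on the site collection.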
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | KartikBhiwapurkar-MT |